From: Greg Kroah-Hartman Date: Tue, 9 Jun 2026 10:47:14 +0000 (+0200) Subject: 5.10 staging is now real X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=8e5bfcb7cc0c5e2ab98da479f25527669790c419;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10 staging is now real --- diff --git a/staging-5.10/bpf-free-reuseport-cbpf-prog-after-rcu-grace-period.patch b/staging-5.10/bpf-free-reuseport-cbpf-prog-after-rcu-grace-period.patch deleted file mode 100644 index cc63302d7a..0000000000 --- a/staging-5.10/bpf-free-reuseport-cbpf-prog-after-rcu-grace-period.patch +++ /dev/null @@ -1,139 +0,0 @@ -From dba101d1996094f95b55756577c12d387d51f62a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 26 Apr 2026 01:26:43 +0000 -Subject: bpf: Free reuseport cBPF prog after RCU grace period. - -From: Kuniyuki Iwashima - -[ Upstream commit 18fc650ccd7fe3376eca89203668cfb8268f60df ] - -Eulgyu Kim reported the splat below with a repro. [0] - -The repro sets up a UDP reuseport group with a cBPF prog and -replaces it with a new one while another thread is sending -a UDP packet to the group. - -The reuseport prog is freed by sk_reuseport_prog_free(). -bpf_prog_put() is called for "e"BPF prog to destruct through -multiple stages while cBPF prog is freed immediately by -bpf_release_orig_filter() and bpf_prog_free(). - -If a reuseport prog is detached from the setsockopt() path -(reuseport_attach_prog() or reuseport_detach_prog()), -sk_reuseport_prog_free() is called without waiting for RCU -readers to complete, resulting in various bugs. - -Let's defer freeing the reuseport cBPF prog after one RCU -grace period. - -Note "e"BPF prog is safe as is unless the fast path starts -to touch fields destroyed in bpf_prog_put_deferred() and -__bpf_prog_put_noref(). - -[0]: -BUG: KASAN: vmalloc-out-of-bounds in reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596 -Read of size 4 at addr ffffc9000051e004 by task slowme/10208 -CPU: 6 UID: 1000 PID: 10208 Comm: slowme Not tainted 7.0.0-geb7ac95ff75e #32 PREEMPT(full) -Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 -Call Trace: - - dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 - print_address_description mm/kasan/report.c:378 [inline] - print_report+0xca/0x240 mm/kasan/report.c:482 - kasan_report+0x118/0x150 mm/kasan/report.c:595 - reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596 - udp4_lib_lookup2+0x3bc/0x950 net/ipv4/udp.c:495 - __udp4_lib_lookup+0x768/0xe20 net/ipv4/udp.c:723 - __udp4_lib_lookup_skb+0x297/0x390 net/ipv4/udp.c:752 - __udp4_lib_rcv+0x1312/0x2620 net/ipv4/udp.c:2752 - ip_protocol_deliver_rcu+0x282/0x440 net/ipv4/ip_input.c:207 - ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:241 - NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 - NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 - __netif_receive_skb_one_core net/core/dev.c:6181 [inline] - __netif_receive_skb net/core/dev.c:6294 [inline] - process_backlog+0xaa4/0x1960 net/core/dev.c:6645 - __napi_poll+0xae/0x340 net/core/dev.c:7709 - napi_poll net/core/dev.c:7772 [inline] - net_rx_action+0x5d7/0xf50 net/core/dev.c:7929 - handle_softirqs+0x22b/0x870 kernel/softirq.c:622 - do_softirq+0x76/0xd0 kernel/softirq.c:523 - - - __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450 - local_bh_enable include/linux/bottom_half.h:33 [inline] - rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline] - __dev_queue_xmit+0x1dd7/0x3710 net/core/dev.c:4890 - neigh_output include/net/neighbour.h:556 [inline] - ip_finish_output2+0xca9/0x1070 net/ipv4/ip_output.c:237 - NF_HOOK_COND include/linux/netfilter.h:307 [inline] - ip_output+0x29f/0x450 net/ipv4/ip_output.c:438 - ip_send_skb+0x45/0xc0 net/ipv4/ip_output.c:1508 - udp_send_skb+0xb04/0x1510 net/ipv4/udp.c:1195 - udp_sendmsg+0x1a71/0x2350 net/ipv4/udp.c:1485 - sock_sendmsg_nosec net/socket.c:727 [inline] - __sock_sendmsg net/socket.c:742 [inline] - __sys_sendto+0x554/0x680 net/socket.c:2206 - __do_sys_sendto net/socket.c:2213 [inline] - __se_sys_sendto net/socket.c:2209 [inline] - __x64_sys_sendto+0xde/0x100 net/socket.c:2209 - do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] - do_syscall_64+0x160/0xf80 arch/x86/entry/syscall_64.c:94 - entry_SYSCALL_64_after_hwframe+0x77/0x7f -RIP: 0033:0x415a2d -Code: b3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 -RSP: 002b:00007f6bc31e41e8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c -RAX: ffffffffffffffda RBX: 00007f6bc31e4cdc RCX: 0000000000415a2d -RDX: 0000000000000001 RSI: 00007f6bc31e421f RDI: 0000000000000003 -RBP: 00007f6bc31e4240 R08: 00007f6bc31e4220 R09: 0000000000000010 -R10: 0000000000000000 R11: 0000000000000212 R12: 00007f6bc31e46c0 -R13: ffffffffffffffb8 R14: 0000000000000000 R15: 00007ffc9b0d70b0 - - -Fixes: 538950a1b752 ("soreuseport: setsockopt SO_ATTACH_REUSEPORT_[CE]BPF") -Reported-by: Eulgyu Kim -Reported-by: Taeyang Lee <0wn@theori.io> -Signed-off-by: Kuniyuki Iwashima -Signed-off-by: Daniel Borkmann -Acked-by: Daniel Borkmann -Link: https://lore.kernel.org/bpf/20260426012647.3233119-1-kuniyu@google.com -Signed-off-by: Sasha Levin ---- - net/core/filter.c | 15 ++++++++++++--- - 1 file changed, 12 insertions(+), 3 deletions(-) - -diff --git a/net/core/filter.c b/net/core/filter.c -index 5fbce37db28323..27550e8b05a655 100644 ---- a/net/core/filter.c -+++ b/net/core/filter.c -@@ -1640,15 +1640,24 @@ int sk_reuseport_attach_bpf(u32 ufd, struct sock *sk) - return err; - } - -+static void sk_reuseport_prog_free_rcu(struct rcu_head *rcu) -+{ -+ struct bpf_prog_aux *aux = container_of(rcu, struct bpf_prog_aux, rcu); -+ struct bpf_prog *prog = aux->prog; -+ -+ bpf_release_orig_filter(prog); -+ bpf_prog_free(prog); -+} -+ - void sk_reuseport_prog_free(struct bpf_prog *prog) - { - if (!prog) - return; - -- if (prog->type == BPF_PROG_TYPE_SK_REUSEPORT) -- bpf_prog_put(prog); -+ if (bpf_prog_was_classic(prog)) -+ call_rcu(&prog->aux->rcu, sk_reuseport_prog_free_rcu); - else -- bpf_prog_destroy(prog); -+ bpf_prog_put(prog); - } - - struct bpf_scratchpad { --- -2.53.0 - diff --git a/staging-5.10/compiler-clang.h-add-__diag-infrastructure-for-clang.patch b/staging-5.10/compiler-clang.h-add-__diag-infrastructure-for-clang.patch deleted file mode 100644 index 47bcff4aac..0000000000 --- a/staging-5.10/compiler-clang.h-add-__diag-infrastructure-for-clang.patch +++ /dev/null @@ -1,59 +0,0 @@ -From ed74ef50ca68bf8f00d4a284a48400cfd376ec85 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 5 Mar 2022 04:16:42 +0530 -Subject: compiler-clang.h: Add __diag infrastructure for clang - -From: Nathan Chancellor - -commit f014a00bbeb09cea16017b82448d32a468a6b96f upstream. - -Add __diag macros similar to those in compiler-gcc.h, so that warnings -that need to be adjusted for specific cases but not globally can be -ignored when building with clang. - -Signed-off-by: Nathan Chancellor -Signed-off-by: Kumar Kartikeya Dwivedi -Signed-off-by: Alexei Starovoitov -Link: https://lore.kernel.org/bpf/20220304224645.3677453-6-memxor@gmail.com - -[ Kartikeya: wrote commit message ] - -Signed-off-by: Nathan Chancellor -Signed-off-by: Sasha Levin ---- - include/linux/compiler-clang.h | 22 ++++++++++++++++++++++ - 1 file changed, 22 insertions(+) - -diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h -index d9376e327d665f..fae3775d02b516 100644 ---- a/include/linux/compiler-clang.h -+++ b/include/linux/compiler-clang.h -@@ -126,3 +126,25 @@ - #if __has_feature(shadow_call_stack) - # define __noscs __attribute__((__no_sanitize__("shadow-call-stack"))) - #endif -+ -+/* -+ * Turn individual warnings and errors on and off locally, depending -+ * on version. -+ */ -+#define __diag_clang(version, severity, s) \ -+ __diag_clang_ ## version(__diag_clang_ ## severity s) -+ -+/* Severity used in pragma directives */ -+#define __diag_clang_ignore ignored -+#define __diag_clang_warn warning -+#define __diag_clang_error error -+ -+#define __diag_str1(s) #s -+#define __diag_str(s) __diag_str1(s) -+#define __diag(s) _Pragma(__diag_str(clang diagnostic s)) -+ -+#if CONFIG_CLANG_VERSION >= 110000 -+#define __diag_clang_11(s) __diag(s) -+#else -+#define __diag_clang_11(s) -+#endif --- -2.53.0 - diff --git a/staging-5.10/disable-wattribute-alias-for-clang-23-and-newer.patch b/staging-5.10/disable-wattribute-alias-for-clang-23-and-newer.patch deleted file mode 100644 index f288de3cb6..0000000000 --- a/staging-5.10/disable-wattribute-alias-for-clang-23-and-newer.patch +++ /dev/null @@ -1,121 +0,0 @@ -From e63d213f19a7f0c5ad532a66da7a82c625c3867f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 16 May 2026 04:34:14 +0900 -Subject: Disable -Wattribute-alias for clang-23 and newer - -From: Nathan Chancellor - -commit 175db11786bde9061db526bf1ac5107d915f5163 upstream. - -Clang recently added support for -Wattribute-alias [1], which results in -the same warnings that necessitated commit bee20031772a ("disable --Wattribute-alias warning for SYSCALL_DEFINEx()") for GCC. - - kernel/time/itimer.c:325:1: error: alias and aliasee have different types 'long (unsigned int)' and 'long (typeof (__builtin_choose_expr((__builtin_types_compatible_p(typeof ((unsigned int)0), typeof (0LL)) || __builtin_types_compatible_p(typeof ((unsigned int)0), typeof (0ULL))), 0LL, 0L)))' (aka 'long (long)') [-Werror,-Wattribute-alias] - 325 | SYSCALL_DEFINE1(alarm, unsigned int, seconds) - | ^ - include/linux/syscalls.h:225:36: note: expanded from macro 'SYSCALL_DEFINE1' - 225 | #define SYSCALL_DEFINE1(name, ...) SYSCALL_DEFINEx(1, _##name, __VA_ARGS__) - | ^ - include/linux/syscalls.h:236:2: note: expanded from macro 'SYSCALL_DEFINEx' - 236 | __SYSCALL_DEFINEx(x, sname, __VA_ARGS__) - | ^ - include/linux/syscalls.h:251:18: note: expanded from macro '__SYSCALL_DEFINEx' - 251 | __attribute__((alias(__stringify(__se_sys##name)))); \ - | ^ - kernel/time/itimer.c:325:1: note: aliasee is declared here - include/linux/syscalls.h:225:36: note: expanded from macro 'SYSCALL_DEFINE1' - 225 | #define SYSCALL_DEFINE1(name, ...) SYSCALL_DEFINEx(1, _##name, __VA_ARGS__) - | ^ - include/linux/syscalls.h:236:2: note: expanded from macro 'SYSCALL_DEFINEx' - 236 | __SYSCALL_DEFINEx(x, sname, __VA_ARGS__) - | ^ - include/linux/syscalls.h:255:18: note: expanded from macro '__SYSCALL_DEFINEx' - 255 | asmlinkage long __se_sys##name(__MAP(x,__SC_LONG,__VA_ARGS__)) \ - | ^ - :16:1: note: expanded from here - 16 | __se_sys_alarm - | ^ - -Disable the warnings in the same way for clang-23 and newer. Disable the -warning about unknown warning options to avoid breaking the build for -versions of clang-23 that do not have -Wattribute-alias, such as ones -deployed by vendors like Android or CI systems or when bisecting LLVM -between llvmorg-23-init and release/23.x. - -Cc: stable@vger.kernel.org -Closes: https://github.com/ClangBuiltLinux/linux/issues/2163 -Link: https://github.com/llvm/llvm-project/commit/40da6920a0d71d49dfa2392b09153600b0759f5e [1] -Link: https://patch.msgid.link/20260515-syscall-disable-attribute-alias-for-clang-v1-1-9a9d95d41df6@kernel.org -[nathan: Drop arch/riscv hunk in older trees and address conflicts] -Signed-off-by: Nathan Chancellor -Signed-off-by: Sasha Levin ---- - include/linux/compat.h | 4 ++++ - include/linux/compiler-clang.h | 6 ++++++ - include/linux/compiler_types.h | 4 ++++ - include/linux/syscalls.h | 4 ++++ - 4 files changed, 18 insertions(+) - -diff --git a/include/linux/compat.h b/include/linux/compat.h -index 8dffffe846ce54..93c9bbec96acba 100644 ---- a/include/linux/compat.h -+++ b/include/linux/compat.h -@@ -75,6 +75,10 @@ - __diag_push(); \ - __diag_ignore(GCC, 8, "-Wattribute-alias", \ - "Type aliasing is used to sanitize syscall arguments");\ -+ __diag_ignore(clang, 23, "-Wunknown-warning-option", \ -+ "Avoid breaking versions without -Wattribute-alias"); \ -+ __diag_ignore(clang, 23, "-Wattribute-alias", \ -+ "Type aliasing is used to sanitize syscall arguments"); \ - asmlinkage long compat_sys##name(__MAP(x,__SC_DECL,__VA_ARGS__)); \ - asmlinkage long compat_sys##name(__MAP(x,__SC_DECL,__VA_ARGS__)) \ - __attribute__((alias(__stringify(__se_compat_sys##name)))); \ -diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h -index fae3775d02b516..a8953f9c766bcf 100644 ---- a/include/linux/compiler-clang.h -+++ b/include/linux/compiler-clang.h -@@ -148,3 +148,9 @@ - #else - #define __diag_clang_11(s) - #endif -+ -+#if CONFIG_CLANG_VERSION >= 230000 -+#define __diag_clang_23(s) __diag(s) -+#else -+#define __diag_clang_23(s) -+#endif -diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h -index 9cecd02c1280a9..88cc4457297d22 100644 ---- a/include/linux/compiler_types.h -+++ b/include/linux/compiler_types.h -@@ -320,6 +320,10 @@ struct ftrace_likely_data { - #define __diag_GCC(version, severity, string) - #endif - -+#ifndef __diag_clang -+#define __diag_clang(version, severity, string) -+#endif -+ - #define __diag_push() __diag(push) - #define __diag_pop() __diag(pop) - -diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h -index a96e924c7b45ed..339a35aad83935 100644 ---- a/include/linux/syscalls.h -+++ b/include/linux/syscalls.h -@@ -236,6 +236,10 @@ static inline int is_syscall_trace_event(struct trace_event_call *tp_event) - __diag_push(); \ - __diag_ignore(GCC, 8, "-Wattribute-alias", \ - "Type aliasing is used to sanitize syscall arguments");\ -+ __diag_ignore(clang, 23, "-Wunknown-warning-option", \ -+ "Avoid breaking versions without -Wattribute-alias");\ -+ __diag_ignore(clang, 23, "-Wattribute-alias", \ -+ "Type aliasing is used to sanitize syscall arguments");\ - asmlinkage long sys##name(__MAP(x,__SC_DECL,__VA_ARGS__)) \ - __attribute__((alias(__stringify(__se_sys##name)))); \ - ALLOW_ERROR_INJECTION(sys##name, ERRNO); \ --- -2.53.0 - diff --git a/staging-5.10/hid-core-add-printk_ratelimited-variants-to-hid_warn.patch b/staging-5.10/hid-core-add-printk_ratelimited-variants-to-hid_warn.patch deleted file mode 100644 index e9c1cc6957..0000000000 --- a/staging-5.10/hid-core-add-printk_ratelimited-variants-to-hid_warn.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 5caad7b86a7a1651a92e28c7d5df8b6d6114e265 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 8 Jun 2026 11:02:23 +0100 -Subject: HID: core: Add printk_ratelimited variants to hid_warn() etc - -From: Vicki Pfau - -[ Upstream commit 1d64624243af8329b4b219d8c39e28ea448f9929 ] - -hid_warn_ratelimited() is needed. Add the others as part of the block. - -Signed-off-by: Vicki Pfau -Signed-off-by: Jiri Kosina -Signed-off-by: Lee Jones -Signed-off-by: Sasha Levin ---- - include/linux/hid.h | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/include/linux/hid.h b/include/linux/hid.h -index 03627c96d81457..ab56fffb74a200 100644 ---- a/include/linux/hid.h -+++ b/include/linux/hid.h -@@ -1217,4 +1217,15 @@ do { \ - #define hid_dbg_once(hid, fmt, ...) \ - dev_dbg_once(&(hid)->dev, fmt, ##__VA_ARGS__) - -+#define hid_err_ratelimited(hid, fmt, ...) \ -+ dev_err_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__) -+#define hid_notice_ratelimited(hid, fmt, ...) \ -+ dev_notice_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__) -+#define hid_warn_ratelimited(hid, fmt, ...) \ -+ dev_warn_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__) -+#define hid_info_ratelimited(hid, fmt, ...) \ -+ dev_info_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__) -+#define hid_dbg_ratelimited(hid, fmt, ...) \ -+ dev_dbg_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__) -+ - #endif --- -2.53.0 - diff --git a/staging-5.10/hid-core-fix-size_t-specifier-in-hid_report_raw_even.patch b/staging-5.10/hid-core-fix-size_t-specifier-in-hid_report_raw_even.patch deleted file mode 100644 index 16248233f7..0000000000 --- a/staging-5.10/hid-core-fix-size_t-specifier-in-hid_report_raw_even.patch +++ /dev/null @@ -1,72 +0,0 @@ -From 651ac05ebcdab9ea3a41e1d85220ad9129d7c490 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 8 Jun 2026 11:02:25 +0100 -Subject: HID: core: Fix size_t specifier in hid_report_raw_event() - -From: Nathan Chancellor - -[ Upstream commit 4d3a2a466b8d68d852a1f3bbf11204b718428dc4 ] - -When building for 32-bit platforms, for which 'size_t' is -'unsigned int', there are warnings around using the incorrect format -specifier to print bsize in hid_report_raw_event(): - - drivers/hid/hid-core.c:2054:29: error: format specifies type 'long' but the argument has type 'size_t' (aka 'unsigned int') [-Werror,-Wformat] - 2053 | hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %ld)\n", - | ~~~ - | %zu - 2054 | report->id, csize, bsize); - | ^~~~~ - drivers/hid/hid-core.c:2076:29: error: format specifies type 'long' but the argument has type 'size_t' (aka 'unsigned int') [-Werror,-Wformat] - 2075 | hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %ld)\n", - | ~~~ - | %zu - 2076 | report->id, rsize, bsize); - | ^~~~~ - -Use the proper 'size_t' format specifier, '%zu', to clear up the -warnings. - -Cc: stable@vger.kernel.org -Fixes: 2c85c61d1332 ("HID: pass the buffer size to hid_report_raw_event") -Reported-by: Miguel Ojeda -Closes: https://lore.kernel.org/20260516020430.110135-1-ojeda@kernel.org/ -Signed-off-by: Nathan Chancellor -Signed-off-by: Linus Torvalds -Signed-off-by: Sasha Levin -(cherry picked from commit 3ab135238832446399614e7a4bb796d620717806) -Signed-off-by: Lee Jones -(cherry picked from commit 0f77a993b5426cca1b046c9ab4b2f8355a4d45dc) -Signed-off-by: Lee Jones -(cherry picked from commit 70333a8f866aad8cbd6956e2ec4ace159fa4243b) -Signed-off-by: Lee Jones -Signed-off-by: Sasha Levin ---- - drivers/hid/hid-core.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c -index c73f4ac16fdf24..918c66d5bc93f6 100644 ---- a/drivers/hid/hid-core.c -+++ b/drivers/hid/hid-core.c -@@ -1793,7 +1793,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, - return 0; - - if (unlikely(bsize < csize)) { -- hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %ld)\n", -+ hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %zu)\n", - report->id, csize, bsize); - return -EINVAL; - } -@@ -1815,7 +1815,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, - rsize = max_buffer_size; - - if (bsize < rsize) { -- hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %ld)\n", -+ hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %zu)\n", - report->id, rsize, bsize); - return -EINVAL; - } --- -2.53.0 - diff --git a/staging-5.10/hid-pass-the-buffer-size-to-hid_report_raw_event.patch b/staging-5.10/hid-pass-the-buffer-size-to-hid_report_raw_event.patch deleted file mode 100644 index 91b2550750..0000000000 --- a/staging-5.10/hid-pass-the-buffer-size-to-hid_report_raw_event.patch +++ /dev/null @@ -1,273 +0,0 @@ -From 05c162178d5f6ec2e6f12bc4599977f0fd9b0573 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 8 Jun 2026 11:02:24 +0100 -Subject: HID: pass the buffer size to hid_report_raw_event - -From: Benjamin Tissoires - -[ Upstream commit 2c85c61d1332e1e16f020d76951baf167dcb6f7a ] - -commit 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing -bogus memset()") enforced the provided data to be at least the size of -the declared buffer in the report descriptor to prevent a buffer -overflow. However, we can try to be smarter by providing both the buffer -size and the data size, meaning that hid_report_raw_event() can make -better decision whether we should plaining reject the buffer (buffer -overflow attempt) or if we can safely memset it to 0 and pass it to the -rest of the stack. - -Fixes: 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing bogus memset()") -Cc: stable@vger.kernel.org -Signed-off-by: Benjamin Tissoires -Acked-by: Johan Hovold -Reviewed-by: Greg Kroah-Hartman -Signed-off-by: Jiri Kosina -Stable-dep-of: 206342541fc8 ("HID: core: introduce hid_safe_input_report()") -Signed-off-by: Sasha Levin -(cherry picked from commit 509c2605065004fc4cd86ee50a9350d402785307) -[Lee: Backported to linux-6.12.y and beyond] -Signed-off-by: Lee Jones -(cherry picked from commit f9393998660f146970047bda31526aeb96190f28) -Signed-off-by: Lee Jones -Signed-off-by: Sasha Levin ---- - drivers/hid/hid-core.c | 29 ++++++++++++++++++++++------- - drivers/hid/hid-gfrm.c | 4 ++-- - drivers/hid/hid-logitech-hidpp.c | 2 +- - drivers/hid/hid-multitouch.c | 2 +- - drivers/hid/hid-primax.c | 2 +- - drivers/hid/hid-vivaldi.c | 2 +- - drivers/hid/wacom_sys.c | 6 +++--- - drivers/staging/greybus/hid.c | 2 +- - include/linux/hid.h | 4 ++-- - 9 files changed, 34 insertions(+), 19 deletions(-) - -diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c -index aa9ae6ccb28a8f..c73f4ac16fdf24 100644 ---- a/drivers/hid/hid-core.c -+++ b/drivers/hid/hid-core.c -@@ -1775,8 +1775,8 @@ int __hid_request(struct hid_device *hid, struct hid_report *report, - } - EXPORT_SYMBOL_GPL(__hid_request); - --int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size, -- int interrupt) -+int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, -+ size_t bufsize, u32 size, int interrupt) - { - struct hid_report_enum *report_enum = hid->report_enum + type; - struct hid_report *report; -@@ -1784,16 +1784,24 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size, - int max_buffer_size = HID_MAX_BUFFER_SIZE; - unsigned int a; - u32 rsize, csize = size; -+ size_t bsize = bufsize; - u8 *cdata = data; - int ret = 0; - - report = hid_get_report(report_enum, data); - if (!report) -- goto out; -+ return 0; -+ -+ if (unlikely(bsize < csize)) { -+ hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %ld)\n", -+ report->id, csize, bsize); -+ return -EINVAL; -+ } - - if (report_enum->numbered) { - cdata++; - csize--; -+ bsize--; - } - - rsize = hid_compute_report_size(report); -@@ -1806,9 +1814,15 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size, - else if (rsize > max_buffer_size) - rsize = max_buffer_size; - -+ if (bsize < rsize) { -+ hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %ld)\n", -+ report->id, rsize, bsize); -+ return -EINVAL; -+ } -+ - if (csize < rsize) { - dbg_hid("report %d is too short, (%d < %d)\n", report->id, -- csize, rsize); -+ csize, rsize); - memset(cdata + csize, 0, rsize - csize); - } - -@@ -1817,7 +1831,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size, - if (hid->claimed & HID_CLAIMED_HIDRAW) { - ret = hidraw_report_event(hid, data, size); - if (ret) -- goto out; -+ return ret; - } - - if (hid->claimed != HID_CLAIMED_HIDRAW && report->maxfield) { -@@ -1830,7 +1844,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size, - - if (hid->claimed & HID_CLAIMED_INPUT) - hidinput_report_event(hid, report); --out: -+ - return ret; - } - EXPORT_SYMBOL_GPL(hid_report_raw_event); -@@ -1851,6 +1865,7 @@ int hid_input_report(struct hid_device *hid, int type, u8 *data, u32 size, int i - struct hid_report_enum *report_enum; - struct hid_driver *hdrv; - struct hid_report *report; -+ size_t bufsize = size; - int ret = 0; - - if (!hid) -@@ -1889,7 +1904,7 @@ int hid_input_report(struct hid_device *hid, int type, u8 *data, u32 size, int i - goto unlock; - } - -- ret = hid_report_raw_event(hid, type, data, size, interrupt); -+ ret = hid_report_raw_event(hid, type, data, bufsize, size, interrupt); - - unlock: - up(&hid->driver_input_lock); -diff --git a/drivers/hid/hid-gfrm.c b/drivers/hid/hid-gfrm.c -index 699186ff2349e9..d2a56bf92b416e 100644 ---- a/drivers/hid/hid-gfrm.c -+++ b/drivers/hid/hid-gfrm.c -@@ -66,7 +66,7 @@ static int gfrm_raw_event(struct hid_device *hdev, struct hid_report *report, - switch (data[1]) { - case GFRM100_SEARCH_KEY_DOWN: - ret = hid_report_raw_event(hdev, HID_INPUT_REPORT, search_key_dn, -- sizeof(search_key_dn), 1); -+ sizeof(search_key_dn), sizeof(search_key_dn), 1); - break; - - case GFRM100_SEARCH_KEY_AUDIO_DATA: -@@ -74,7 +74,7 @@ static int gfrm_raw_event(struct hid_device *hdev, struct hid_report *report, - - case GFRM100_SEARCH_KEY_UP: - ret = hid_report_raw_event(hdev, HID_INPUT_REPORT, search_key_up, -- sizeof(search_key_up), 1); -+ sizeof(search_key_up), sizeof(search_key_up), 1); - break; - - default: -diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c -index 98562a0ed0c338..d31f2737b13dca 100644 ---- a/drivers/hid/hid-logitech-hidpp.c -+++ b/drivers/hid/hid-logitech-hidpp.c -@@ -3176,7 +3176,7 @@ static int hidpp10_consumer_keys_raw_event(struct hidpp_device *hidpp, - memcpy(&consumer_report[1], &data[3], 4); - /* We are called from atomic context */ - hid_report_raw_event(hidpp->hid_dev, HID_INPUT_REPORT, -- consumer_report, 5, 1); -+ consumer_report, sizeof(consumer_report), 5, 1); - - return 1; - } -diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c -index 948bd59ab5d21f..c3bcc23d7c7ca1 100644 ---- a/drivers/hid/hid-multitouch.c -+++ b/drivers/hid/hid-multitouch.c -@@ -449,7 +449,7 @@ static void mt_get_feature(struct hid_device *hdev, struct hid_report *report) - } - - ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, buf, -- size, 0); -+ size, size, 0); - if (ret) - dev_warn(&hdev->dev, "failed to report feature\n"); - } -diff --git a/drivers/hid/hid-primax.c b/drivers/hid/hid-primax.c -index 1e6413d07cae21..16e2a811eda9f0 100644 ---- a/drivers/hid/hid-primax.c -+++ b/drivers/hid/hid-primax.c -@@ -44,7 +44,7 @@ static int px_raw_event(struct hid_device *hid, struct hid_report *report, - data[0] |= (1 << (data[idx] - 0xE0)); - data[idx] = 0; - } -- hid_report_raw_event(hid, HID_INPUT_REPORT, data, size, 0); -+ hid_report_raw_event(hid, HID_INPUT_REPORT, data, size, size, 0); - return 1; - - default: /* unknown report */ -diff --git a/drivers/hid/hid-vivaldi.c b/drivers/hid/hid-vivaldi.c -index d57ec17670379c..fdfea1355ee782 100644 ---- a/drivers/hid/hid-vivaldi.c -+++ b/drivers/hid/hid-vivaldi.c -@@ -126,7 +126,7 @@ static void vivaldi_feature_mapping(struct hid_device *hdev, - } - - ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, report_data, -- report_len, 0); -+ report_len, report_len, 0); - if (ret) { - dev_warn(&hdev->dev, "failed to report feature %d\n", - field->report->id); -diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c -index 641898bde9c730..5043bc809aaeb5 100644 ---- a/drivers/hid/wacom_sys.c -+++ b/drivers/hid/wacom_sys.c -@@ -79,7 +79,7 @@ static void wacom_wac_queue_flush(struct hid_device *hdev, - int err; - - size = kfifo_out(fifo, buf, sizeof(buf)); -- err = hid_report_raw_event(hdev, HID_INPUT_REPORT, buf, size, false); -+ err = hid_report_raw_event(hdev, HID_INPUT_REPORT, buf, size, size, false); - if (err) { - hid_warn(hdev, "%s: unable to flush event due to error %d\n", - __func__, err); -@@ -324,7 +324,7 @@ static void wacom_feature_mapping(struct hid_device *hdev, - data, n, WAC_CMD_RETRIES); - if (ret == n && features->type == HID_GENERIC) { - ret = hid_report_raw_event(hdev, -- HID_FEATURE_REPORT, data, n, 0); -+ HID_FEATURE_REPORT, data, n, n, 0); - } else if (ret == 2 && features->type != HID_GENERIC) { - features->touch_max = data[1]; - } else { -@@ -386,7 +386,7 @@ static void wacom_feature_mapping(struct hid_device *hdev, - data, n, WAC_CMD_RETRIES); - if (ret == n) { - ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, -- data, n, 0); -+ data, n, n, 0); - } else { - hid_warn(hdev, "%s: could not retrieve sensor offsets\n", - __func__); -diff --git a/drivers/staging/greybus/hid.c b/drivers/staging/greybus/hid.c -index ed706f39e87a19..d68f60da0dd169 100644 ---- a/drivers/staging/greybus/hid.c -+++ b/drivers/staging/greybus/hid.c -@@ -201,7 +201,7 @@ static void gb_hid_init_report(struct gb_hid *ghid, struct hid_report *report) - * we just need to setup the input fields, so using - * hid_report_raw_event is safe. - */ -- hid_report_raw_event(ghid->hid, report->type, ghid->inbuf, size, 1); -+ hid_report_raw_event(ghid->hid, report->type, ghid->inbuf, ghid->bufsize, size, 1); - } - - static void gb_hid_init_reports(struct gb_hid *ghid) -diff --git a/include/linux/hid.h b/include/linux/hid.h -index ab56fffb74a200..aaae2fecd4ae6e 100644 ---- a/include/linux/hid.h -+++ b/include/linux/hid.h -@@ -1175,8 +1175,8 @@ static inline u32 hid_report_len(struct hid_report *report) - return DIV_ROUND_UP(report->size, 8) + (report->id > 0); - } - --int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size, -- int interrupt); -+int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, -+ size_t bufsize, u32 size, int interrupt); - - /* HID quirks API */ - unsigned long hid_lookup_quirk(const struct hid_device *hdev); --- -2.53.0 - diff --git a/staging-5.10/series b/staging-5.10/series deleted file mode 100644 index 88cacf0b05..0000000000 --- a/staging-5.10/series +++ /dev/null @@ -1,7 +0,0 @@ -bpf-free-reuseport-cbpf-prog-after-rcu-grace-period.patch -hid-core-add-printk_ratelimited-variants-to-hid_warn.patch -hid-pass-the-buffer-size-to-hid_report_raw_event.patch -hid-core-fix-size_t-specifier-in-hid_report_raw_even.patch -usb-serial-mct_u232-fix-memory-corruption-with-small.patch -compiler-clang.h-add-__diag-infrastructure-for-clang.patch -disable-wattribute-alias-for-clang-23-and-newer.patch diff --git a/staging-5.10/usb-serial-mct_u232-fix-memory-corruption-with-small.patch b/staging-5.10/usb-serial-mct_u232-fix-memory-corruption-with-small.patch deleted file mode 100644 index 8fe7684f45..0000000000 --- a/staging-5.10/usb-serial-mct_u232-fix-memory-corruption-with-small.patch +++ /dev/null @@ -1,81 +0,0 @@ -From 88ac9d3ecb476d111f8b9bda679669bc065ef860 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 4 Jun 2026 14:11:33 +0200 -Subject: USB: serial: mct_u232: fix memory corruption with small endpoint - -From: Johan Hovold - -commit 915b36d701950503c4ea0f6e314b10868e59fce3 upstream. - -The driver overrides the maximum transfer size for a specific device -which only accepts 16 byte packets for its 32 byte bulk-out endpoint. - -Make sure to never increase the maximum transfer size to prevent slab -corruption should a malicious device report a smaller endpoint max -packet size than expected. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Cc: stable@vger.kernel.org -Reviewed-by: Greg Kroah-Hartman -Signed-off-by: Johan Hovold -Signed-off-by: Sasha Levin ---- - drivers/usb/serial/mct_u232.c | 21 +++++++++++---------- - 1 file changed, 11 insertions(+), 10 deletions(-) - -diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c -index 04f16d4a0a68ad..8842a1db72b396 100644 ---- a/drivers/usb/serial/mct_u232.c -+++ b/drivers/usb/serial/mct_u232.c -@@ -378,6 +378,7 @@ static int mct_u232_port_probe(struct usb_serial_port *port) - { - struct usb_serial *serial = port->serial; - struct mct_u232_private *priv; -+ u16 pid; - - /* check first to simplify error handling */ - if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) { -@@ -385,6 +386,16 @@ static int mct_u232_port_probe(struct usb_serial_port *port) - return -ENODEV; - } - -+ /* -+ * Compensate for a hardware bug: although the Sitecom U232-P25 -+ * device reports a maximum output packet size of 32 bytes, -+ * it seems to be able to accept only 16 bytes (and that's what -+ * SniffUSB says too...) -+ */ -+ pid = le16_to_cpu(serial->dev->descriptor.idProduct); -+ if (pid == MCT_U232_SITECOM_PID) -+ port->bulk_out_size = min(16, port->bulk_out_size); -+ - priv = kzalloc(sizeof(*priv), GFP_KERNEL); - if (!priv) - return -ENOMEM; -@@ -412,7 +423,6 @@ static int mct_u232_port_remove(struct usb_serial_port *port) - - static int mct_u232_open(struct tty_struct *tty, struct usb_serial_port *port) - { -- struct usb_serial *serial = port->serial; - struct mct_u232_private *priv = usb_get_serial_port_data(port); - int retval = 0; - unsigned int control_state; -@@ -420,15 +430,6 @@ static int mct_u232_open(struct tty_struct *tty, struct usb_serial_port *port) - unsigned char last_lcr; - unsigned char last_msr; - -- /* Compensate for a hardware bug: although the Sitecom U232-P25 -- * device reports a maximum output packet size of 32 bytes, -- * it seems to be able to accept only 16 bytes (and that's what -- * SniffUSB says too...) -- */ -- if (le16_to_cpu(serial->dev->descriptor.idProduct) -- == MCT_U232_SITECOM_PID) -- port->bulk_out_size = 16; -- - /* Do a defined restart: the normal serial device seems to - * always turn on DTR and RTS here, so do the same. I'm not - * sure if this is really necessary. But it should not harm --- -2.53.0 -